Mostafa85
New Member
October 12, 2025
Question

How to Enforce a 300 ms Rate Limit on HTTP POST Requests to Prevent Auto‑Clicks


We’re trying to mitigate users who employ auto‑clicker or automation tools that repeatedly send HTTP POST requests every 100 milliseconds. Our goal is to restrict each user to a maximum of 1 request per 300 milliseconds, and to return HTTP 429 (Too Many Requests) if that limit is exceeded.

We’re looking for the best way to implement this restriction within a Fortinet environment—specifically using FortiWeb or FortiGate if possible.

Can FortiWeb’s Rate Limiting or Bot Mitigation features be configured to apply per‑client‑IP or session with a millisecond‑level interval?

If not, what’s the most effective configuration to approximate a 300 ms threshold (e.g., through request‑per‑second rules, anomaly detection profiles, or custom WAF policies)?

Are there any best practices or sample configurations to handle legitimate bursts without blocking valid users?

Any guidance or example policies for achieving this kind of fine‑grained rate control would be greatly appreciated.

2 replies

AEK
SuperUser
October 12, 2025

Mostafa85
Author
New Member
October 14, 2025

Thanks for the reply.
Yes, I have checked the DoS policy documentation. It only supports request rate limiting in seconds, not in milliseconds. I am specifically looking for a way to enforce a limit based on milliseconds.

AEK
SuperUser
October 14, 2025

As per my knowledge the smallest unit for this in FWB is one second.

So if you need to limit the requests to 1 per 300ms, then you can just limit it to 3 per second.

AEK
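
The difference between the strict 1-request-per-300 ms interval asked for in the question and the 3-per-second approximation suggested in the reply, as an added example that is not part of the original posts and is not FortiWeb configuration. The fixed one-second window counter is an assumption about how a per-second limit is counted, and the client addresses and timestamps are constructed.

```python
# Added example: compares the two policies discussed in this thread.
# Timestamps are integer milliseconds; all sample traffic below is constructed.

class MinIntervalLimiter:
    """Strict policy from the question: at most 1 request per interval_ms per client."""
    def __init__(self, interval_ms=300):
        self.interval_ms = interval_ms
        self.last_allowed = {}          # client id -> time of last accepted request

    def check(self, client, now_ms):
        last = self.last_allowed.get(client)
        if last is not None and now_ms - last < self.interval_ms:
            return 429                  # rejected requests do not reset the timer
        self.last_allowed[client] = now_ms
        return 200

class FixedWindowLimiter:
    """Approximation from the reply: at most `limit` requests per one-second window
    (assumed generic fixed-window counter, not FortiWeb's documented algorithm)."""
    def __init__(self, limit=3, window_ms=1000):
        self.limit, self.window_ms = limit, window_ms
        self.counts = {}                # (client, window index) -> requests seen

    def check(self, client, now_ms):
        key = (client, now_ms // self.window_ms)
        self.counts[key] = self.counts.get(key, 0) + 1
        return 200 if self.counts[key] <= self.limit else 429

def replay(limiter, client, timestamps_ms):
    """Return the HTTP status the limiter would give each request."""
    return [limiter.check(client, t) for t in timestamps_ms]

# Constructed traffic: an auto-clicker posting every 100 ms for 2 seconds,
# and a user who double-clicks (two posts 100 ms apart) and then waits.
AUTOCLICKER = list(range(0, 2000, 100))
DOUBLE_CLICK = [0, 100, 1500]

def summary():
    out = {}
    for name, make in (("min_interval", MinIntervalLimiter), ("fixed_window", FixedWindowLimiter)):
        out[name] = {
            "autoclicker_allowed": replay(make(), "10.0.0.1", AUTOCLICKER).count(200),
            "double_click": replay(make(), "10.0.0.2", DOUBLE_CLICK),
        }
    return out

if __name__ == "__main__":
    for policy, result in summary().items():
        print(policy, result)
```

With this traffic the per-second rule still accepts three posts spaced 100 ms apart at the start of each window, while the strict interval rejects the second click of a double-click.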